Integrating Data Resiliency to Splunk® SIEM

Integrate Data Resiliency Service with Splunk® to send data directly to the Splunk® Enterprise platform through the HTTP Event Collector (HEC). This integration supports real-time detection, investigation, and response to security threats.

Considerations
  • You can download the IBM® Storage Defender® App for Splunk®. The app integrates with Defender, automatically generating alerts for Potential Threat Events and visualizing the events in Splunk® for real-time monitoring, analysis, and reporting.

    To download the IBM Storage Defender App for Splunk®, see https://splunkbase.splunk.com/app/7568

  • For Splunk® configuration details, see Splunk configuration document.

Prerequisites:

  1. Ensure that the Splunk® Enterprise platform is running and that the HTTP Event Collector (HEC) is enabled with indexer acknowledgment and SSL enabled.
    Note: Only public CA certificates are supported.
  2. Create an HEC token to configure Splunk®. For more information, see Splunk configuration document.
  3. Verify that the HEC Health Check is active.
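The three prerequisites above can be checked from the command line before you open the console. The following script is an added example, not IBM or Splunk code. It assumes the standard Splunk HEC endpoints (/services/collector/health, /services/collector/event and /services/collector/ack) and the documented response shapes; the hostname, port and token are placeholders that you replace with your own. It verifies the server certificate against the system CA store, which is what the "public CA only" note implies, and it treats a missing ackId in the event response as indexer acknowledgment being disabled for the token.

```python
"""Pre-flight check for the Splunk HEC prerequisites (added example, not IBM code)."""
import json
import ssl
import urllib.request
import uuid

HEC_HOST = "splunk.example.com"                      # placeholder hostname
HEC_PORT = 8088                                      # placeholder; Splunk's default HEC port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"   # placeholder HEC token


def validate_hec_port(port):
    """Port rule from the connection procedure: 0 to 65535, but never 5000."""
    if not isinstance(port, int) or port < 0 or port > 65535:
        return False
    return port != 5000


def parse_health(body):
    """True when /services/collector/health reports a healthy collector (code 17)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return data.get("code") == 17


def parse_event_response(body):
    """Return the ackId from a successful event POST, or None.

    With indexer acknowledgment enabled, HEC answers {"text":"Success","code":0,"ackId":N}.
    No ackId on a code-0 answer means acknowledgment is not enabled for this token.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if data.get("code") != 0:
        return None
    return data.get("ackId")


def parse_ack_response(body, ack_id):
    """True when /services/collector/ack confirms that ack_id was indexed."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return bool(data.get("acks", {}).get(str(ack_id), False))


def _post(url, channel, payload, ctx):
    """POST a JSON payload with the token and the request channel that acks require."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Authorization", "Splunk " + HEC_TOKEN)
    req.add_header("X-Splunk-Request-Channel", channel)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def check_hec(host=HEC_HOST, port=HEC_PORT):
    """Run the prerequisite checks and return a list of problems (empty means OK)."""
    if not validate_hec_port(port):
        return ["port %r is outside 0-65535 or is the disallowed port 5000" % port]
    # The default context verifies the certificate chain against the system CA store,
    # so a private CA fails here exactly as the "public CA only" note says it should.
    ctx = ssl.create_default_context()
    base = "https://%s:%d/services/collector" % (host, port)
    problems = []
    try:
        with urllib.request.urlopen(base + "/health", context=ctx, timeout=10) as resp:
            if not parse_health(resp.read().decode()):
                problems.append("HEC health check is not reporting healthy")
    except Exception as exc:
        return ["health check failed (TLS, firewall or HEC disabled): %s" % exc]
    channel = str(uuid.uuid4())
    ack_id = parse_event_response(
        _post(base + "/event", channel, {"event": "defender hec preflight"}, ctx))
    if ack_id is None:
        problems.append("event accepted without ackId: indexer acknowledgment is off")
    elif not parse_ack_response(_post(base + "/ack", channel, {"acks": [ack_id]}, ctx), ack_id):
        problems.append("indexer has not acknowledged the test event yet; retry shortly")
    return problems


if __name__ == "__main__":
    for line in check_hec() or ["all HEC prerequisites satisfied"]:
        print(line)
```

An ack that is not yet confirmed is normal for a few seconds after the POST, which is why the last message says to retry rather than reporting a failure; a health check that fails with a certificate error is the quickest way to discover that the HEC listener is using a private or self-signed certificate.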

Procedure:

Complete the following steps to connect Data Resiliency Service to Splunk®.
  1. Log in to the IBM Storage Defender console.
  2. Click the hamburger menu on the upper-left of the page.
  3. Click Data Resiliency > Integrations.
  4. Click Splunk® SIEM.
  5. Click Add connection. Verify that you have completed the prerequisite steps.
  6. Click Proceed.
  7. Specify the SIEM hostname and HEC port for the connection to IBM Storage Defender and the associated connection manager.
    Note: Select a HEC port in the range 0 to 65535; port 5000 is not allowed.
    Note: Ensure that the specified HEC port is not blocked by a firewall.
    Note: If you open the port with a firewall command, ensure that the HEC (HTTP Event Collector) port matches the one specified in the command, for example:
    
    firewall-cmd --zone=public --permanent --add-port=8090/tcp
    Sample command output
    firewall-cmd --zone=public --permanent --add-port=8090/tcp
    Warning: ALREADY_ENABLED: 8090:tcp
    success

  8. Select the Terms & Conditions checkbox and click Connect.
  9. Wait a few minutes for the connection to be added. On successful connection, the status becomes active.

Note: When a connection manager is already associated with a Splunk® host, you cannot use the same connection manager to add another Splunk® host. Use a different connection manager instead.
Note: For more information, see Creating Alerts and Dashboard.

Actions for IBM Storage Defender events

Steps for a potential threat:
  1. Log in to the IBM Storage Defender console.
  2. On the Data Resiliency Service home page, click Recovery Groups.
  3. Select the recovery group from which you received the SIEM event.
  4. On the Recovery Group Protection dashboard, complete the following steps:
    1. Select the appropriate recovery point and click Activate recovery plan if required.
    2. Select the clean room profile that you want to use.
    3. Click Done.
    4. Wait for the recovery to complete.
    5. Validate the resources are working as expected and then use the recovery point for production restore.
Steps for a missed heartbeat:
  1. Log in to the IBM Storage Defender console.
  2. On the Data Resiliency Service home page, click Recovery Groups.
  3. Select the recovery group from which you received the SIEM event.
  4. Go to the Active threat tab. In the timeline section, view the virtual machine hostname for the Missed heartbeat event.
  5. Log in to the virtual machine that has the missed heartbeat event, and run the following command to verify that the sensor is working properly:
    systemctl status defender-sensor

    A sample output of the command is shown as follows:

    defender-sensor.service - IBM Storage Defender Sensor service
         Loaded: loaded (/usr/lib/systemd/system/defender-sensor.service; enabled; preset: disabled)
         Active: active (running) since Wed 2024-05-15 17:42:44 MST; 3h 47min ago
       Main PID: 1326 (defender-sensor)
          Tasks: 3 (limit: 48928)
         Memory: 291.9M
            CPU: 50.419s
         CGroup: /system.slice/defender-sensor.service
                 ├─1326 /usr/bin/bash /usr/bin/defender-sensor
                 └─1327 /opt/ibm/defender/venv/bin/python3 -m espial.monitor
    
    May 15 17:42:44 skrill-vm7.storage.tucson.ibm.com systemd[1]: Starting IBM Storage Defender Sensor service...
    May 15 17:42:44 skrill-vm7.storage.tucson.ibm.com systemd[1]: Started IBM Storage Defender Sensor service.
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,098 INFO: Starting version 2.0.4-1713905626
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,142 INFO: Config file: /etc/opt/ibm/defender/defender-sensor.conf
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,533 INFO: Configured file systems: ['all']
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,534 INFO: Discovered file systems: ['/', '/boot', '/boot/efi', '/data', '/home>
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,534 INFO: File systems to monitor: ['/', '/boot', '/boot/efi', '/data', '/home>
    May 15 17:42:50 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:50,535 INFO: Monitoring file systems: ['/', '/boot', '/boot/efi', '/data', '/home>
    May 15 17:42:51 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:51,093 INFO: Authenticating to server
    May 15 17:42:52 skrill-vm7.storage.tucson.ibm.com defender-sensor[1327]: 2024-05-15 17:42:52,521 INFO: Initialization complete
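When several virtual machines report missed heartbeats, reading the status output by eye does not scale. The following triage helper is an added example, not IBM code. It parses the output of systemctl status defender-sensor (run locally, or pasted from a captured session) and reports whether the service is active and running and whether the sensor logged "Authenticating to server" and "Initialization complete", the two lines from the sample output above that show the sensor reached the Defender service. The sample text embedded in the script is constructed in the shape of that output, with a placeholder hostname.

```python
"""Triage helper for a missed-heartbeat event (added example, not IBM code)."""
import re
import subprocess

# Constructed sample in the shape of the status output shown above (placeholder hostname).
SAMPLE_STATUS = """\
defender-sensor.service - IBM Storage Defender Sensor service
     Loaded: loaded (/usr/lib/systemd/system/defender-sensor.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-05-15 17:42:44 MST; 3h 47min ago
   Main PID: 1326 (defender-sensor)
May 15 17:42:50 vm.example.com defender-sensor[1327]: 2024-05-15 17:42:50,098 INFO: Starting version 2.0.4-1713905626
May 15 17:42:51 vm.example.com defender-sensor[1327]: 2024-05-15 17:42:51,093 INFO: Authenticating to server
May 15 17:42:52 vm.example.com defender-sensor[1327]: 2024-05-15 17:42:52,521 INFO: Initialization complete
"""

ACTIVE_RE = re.compile(r"Active:\s+(\S+)\s+\(([^)]+)\)")
VERSION_RE = re.compile(r"Starting version (\S+)")


def assess_sensor(status_text):
    """Summarise systemctl status output for defender-sensor.

    Returns a dict with the unit state, its sub-state, the sensor version seen in
    the journal lines, whether authentication and initialisation were logged, and
    an overall 'healthy' verdict plus the findings that explain a negative verdict.
    """
    result = {"state": None, "substate": None, "version": None,
              "authenticated": False, "initialized": False,
              "healthy": False, "findings": []}
    match = ACTIVE_RE.search(status_text)
    if match:
        result["state"], result["substate"] = match.group(1), match.group(2)
    vmatch = VERSION_RE.search(status_text)
    if vmatch:
        result["version"] = vmatch.group(1)
    result["authenticated"] = "Authenticating to server" in status_text
    result["initialized"] = "Initialization complete" in status_text

    if result["state"] != "active" or result["substate"] != "running":
        result["findings"].append(
            "service is %s (%s), not active (running)" % (result["state"], result["substate"]))
    if not result["authenticated"]:
        result["findings"].append("no 'Authenticating to server' line in the recent journal")
    if not result["initialized"]:
        result["findings"].append("no 'Initialization complete' line in the recent journal")
    # Journal lines are only the most recent ones, so a long-running healthy sensor may
    # have scrolled the start-up lines out of view: a running unit is still reported healthy.
    result["healthy"] = (result["state"] == "active" and result["substate"] == "running")
    return result


def current_status():
    """Run the command from the procedure on this host and return its output.

    systemctl status exits non-zero when the unit is inactive, so the exit code
    is deliberately ignored and only the text is assessed.
    """
    proc = subprocess.run(["systemctl", "status", "defender-sensor", "--no-pager"],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    report = assess_sensor(current_status())
    print("healthy" if report["healthy"] else "NOT healthy", report)
```

The findings list is what you would paste into the incident record: a unit that is inactive or failed explains the missed heartbeat directly, whereas a running unit with no authentication line points at connectivity between the virtual machine and the Defender service rather than at the sensor itself.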